OTPulse

Mitsubishi Electric MELSEC iQ-R Series

MonitorCVSS 7.4ICS-CERT ICSA-21-250-01Sep 7, 2021
Mitsubishi ElectricEnergy
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

MELSEC iQ-R Safety CPUs and SIL2 Process CPUs contain vulnerabilities (CWE-200 exposure of sensitive data, CWE-522 insufficiently protected credentials, CWE-645 overly restrictive allowlist) that allow a remote attacker on the network to extract legitimate user credentials or gain unauthorized access without authentication. Successful exploitation could grant an attacker the ability to modify safety-critical logic, alter control system behavior, or deny access to legitimate operators. The vulnerabilities affect firmware version 26 or earlier on Safety CPUs and version 11 or earlier on SIL2 Process CPUs. All versions of these products are vulnerable.

What this means
What could happen
An attacker with network access could extract legitimate user credentials from the Safety CPU or SIL2 Process CPU, potentially gaining unauthorized access to modify safety-critical logic or lock out legitimate operators from the control system.
Who's at risk
Energy sector organizations operating Mitsubishi Electric MELSEC iQ-R Safety CPUs (R08/R16/R32/R120SFCPU) or SIL2 Process CPUs (R08/R16/R32/R120PSFCPU) in water treatment plants, electric substations, or other critical infrastructure should be concerned. These are safety-critical controllers used to manage emergency shutdowns, interlocks, and hazard prevention logic.
How it could be exploited
An attacker on the network sends a request to the Ethernet port of a MELSEC iQ-R Safety CPU or SIL2 Process CPU. The device responds with credential information or allows unauthorized access without proper authentication. The attacker can then use extracted credentials to log in and modify the safety logic, setpoints, or deny access to legitimate users.
Prerequisites
  • Network connectivity to the Ethernet port of the MELSEC iQ-R CPU (port unspecified in advisory)
  • No valid credentials required to extract user information
  • Device must be running vulnerable firmware version 26 or earlier (Safety CPU) or version 11 or earlier (SIL2 Process CPU)
remotely exploitableaffects safety systemsno patch availableno authentication required for credential extraction
Exploitability
Unlikely to be exploited — EPSS score 0.9%
Affected products (16)
16 EOL
ProductAffected VersionsFix Status
MELSEC iQ-R series Safety CPU R16SFCPU Firmware: <=26≤ 26No fix (EOL)
MELSEC iQ-R series Safety CPU R16SFCPU: vers:all/*All versionsNo fix (EOL)
MELSEC iQ-R series Safety CPU R32SFCPU Firmware: <=26≤ 26No fix (EOL)
MELSEC iQ-R series Safety CPU R32SFCPU: vers:all/*All versionsNo fix (EOL)
MELSEC iQ-R series Safety CPU R120SFCPU Firmware: <=26≤ 26No fix (EOL)
Remediation & Mitigation
0/6
Do now
0/4
WORKAROUNDImplement network firewall rules to block all inbound access to MELSEC iQ-R Ethernet ports from untrusted networks and hosts
WORKAROUNDDeploy a VPN requirement for any remote access to the control network containing MELSEC iQ-R devices
WORKAROUNDEnable and configure the IP filter function on each MELSEC iQ-R CPU to restrict access to known, authorized engineering workstations only
WORKAROUNDReset all user passwords via USB connection rather than over the network to prevent credential exposure during password entry
Mitigations - no patch available
0/2
The following products have reached End of Life with no planned fix: MELSEC iQ-R series Safety CPU R16SFCPU Firmware: <=26, MELSEC iQ-R series Safety CPU R16SFCPU: vers:all/*, MELSEC iQ-R series Safety CPU R32SFCPU Firmware: <=26, MELSEC iQ-R series Safety CPU R32SFCPU: vers:all/*, MELSEC iQ-R series Safety CPU R120SFCPU Firmware: <=26, MELSEC iQ-R series Safety CPU R120SFCPU: vers:all/*, MELSEC iQ-R series SIL2 Process CPU R08PSFCPU Firmware: <=11, MELSEC iQ-R series SIL2 Process CPU R16PSFCPU Firmware: <=11, MELSEC iQ-R series SIL2 Process CPU R16PSFCPU: vers:all/*, MELSEC iQ-R series SIL2 Process CPU R32PSFCPU Firmware: <=11, MELSEC iQ-R series SIL2 Process CPU R32PSFCPU: vers:all/*, MELSEC iQ-R series SIL2 Process CPU R120PSFCPU Firmware: <=11, MELSEC iQ-R series SIL2 Process CPU R120PSFCPU: vers:all/*, MELSEC iQ-R series SIL2 Process CPU R08PSFCPU: vers:all/*, MELSEC iQ-R series Safety CPU R08SFCPU Firmware: <=26, MELSEC iQ-R series Safety CPU R08SFCPU: vers:all/*. Apply the following compensating controls:
HARDENINGSegment MELSEC iQ-R devices into an isolated LAN with restricted inbound connectivity from untrusted sources
HARDENINGMonitor network traffic to the MELSEC iQ-R Ethernet ports for suspicious login attempts or unauthorized access patterns
View full CISA ICS-CERT advisory
API: /api/v1/advisories/9e5ca5b1-034d-4d68-aaa6-879d1965da1d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Mitsubishi Electric MELSEC iQ-R Series | CVSS 7.4 - OTPulse